The Web Security Mailing List

"Petko Petkov of "ethical hacking" group GNUCitizen has developed a
proof-of-concept program to steal contacts and incoming e-mails from
Google Gmail users.

"This can be used to forward all your incoming e-mail," Pure
Hacking security researcher Chris Gatford said. "It's just a proof of
concept at the moment, but what they're demonstrating is the potential
to use this vulnerability for malicious purposes."

According to Gatford, attackers could compromise a Gmail
account--using a cross-site scripting vulnerability--if the victim is
logged in and clicks on a malicious link. From that moment, the
attacker can take over the session cookies for Gmail and subsequently
forward all the account's messages to a POP account.

"If someone picks up on this before Google fixes it--or if
someone knew of the vulnerability before this guy published it--this
could be very damaging to Gmail users," he added.

The problem is potentially compounded by Google's policy of retaining cookies for two years."
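The quoted article names two defender-side issues: a session cookie that injected script can read and forward, and a cookie lifetime of two years. The example below is added here and is not code from the article, from Pure Hacking or from Google; it builds a Set-Cookie header and audits it for the attributes that limit both problems (HttpOnly, Secure, SameSite and a bounded Max-Age). The function names, the 12-hour lifetime policy and the cookie values are assumptions chosen for the illustration; the two-year figure is the one the article gives.

```javascript
// Added example (not from the quoted article). Builds and audits a
// Set-Cookie header for a web session. All names and the 12-hour policy
// below are assumptions made for this illustration.

const TWO_YEARS_SECONDS = 2 * 365 * 24 * 60 * 60;   // lifetime named in the article
const MAX_SESSION_AGE_SECONDS = 12 * 60 * 60;       // hypothetical site policy

// Build a Set-Cookie header value. Rejects names and values that would let
// a caller smuggle extra attributes into the header.
function buildSetCookie(name, value, attrs = {}) {
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) throw new Error("invalid cookie name");
  if (/[\s;,"\\]/.test(value)) throw new Error("invalid cookie value");
  const parts = [`${name}=${value}`];
  if (attrs.maxAge !== undefined) parts.push(`Max-Age=${attrs.maxAge}`);
  if (attrs.expires) parts.push(`Expires=${attrs.expires}`);
  if (attrs.path) parts.push(`Path=${attrs.path}`);
  if (attrs.domain) parts.push(`Domain=${attrs.domain}`);
  if (attrs.secure) parts.push("Secure");
  if (attrs.httpOnly) parts.push("HttpOnly");
  if (attrs.sameSite) parts.push(`SameSite=${attrs.sameSite}`);
  return parts.join("; ");
}

// Parse a Set-Cookie header value back into { name, value, attrs }.
// Attribute keys are lower-cased; flag attributes map to true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = pair.slice(0, eq);
  const value = pair.slice(eq + 1);
  const attrs = {};
  for (const a of rest) {
    if (a === "") continue;
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, value, attrs };
}

// Return the list of weaknesses in a session cookie header. An empty list
// means every attribute this audit checks for is present and within policy.
function auditSetCookie(header, now = Date.now()) {
  const { attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.httponly) {
    findings.push("missing HttpOnly: document.cookie exposes the session id to injected script");
  }
  if (!attrs.secure) {
    findings.push("missing Secure: cookie is also sent over plaintext HTTP");
  }
  const sameSite = typeof attrs.samesite === "string" ? attrs.samesite.toLowerCase() : "";
  if (sameSite !== "strict" && sameSite !== "lax") {
    findings.push("SameSite not Strict or Lax: cross-site requests carry the session");
  }
  // Lifetime: Max-Age takes precedence over Expires; neither means a
  // browser-session cookie, which is within policy.
  let lifetime;
  if (attrs["max-age"] !== undefined) {
    lifetime = Number(attrs["max-age"]);
  } else if (typeof attrs.expires === "string") {
    lifetime = (Date.parse(attrs.expires) - now) / 1000;
  }
  if (lifetime !== undefined && lifetime > MAX_SESSION_AGE_SECONDS) {
    findings.push(`lifetime ${Math.round(lifetime)}s exceeds policy of ${MAX_SESSION_AGE_SECONDS}s`);
  }
  return findings;
}

// Constructed comparison: a long-lived cookie with no protective attributes
// next to a hardened one for the same session id.
function demo() {
  const weak = buildSetCookie("SID", "abc123", { maxAge: TWO_YEARS_SECONDS, path: "/" });
  const strong = buildSetCookie("SID", "abc123", {
    maxAge: 3600, path: "/", secure: true, httpOnly: true, sameSite: "Strict",
  });
  return { weak: auditSetCookie(weak), strong: auditSetCookie(strong) };
}

console.log(demo());
```

The audit treats a cookie with no Max-Age or Expires as acceptable because the browser discards it when the session ends; a two-year Max-Age is flagged because, once a cookie is stolen, its lifetime bounds how long the stolen session stays usable unless the server revokes it.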